On Sat, Nov 29, 2003 at 08:14:38PM -0500, jon baer wrote:
> while it would be really nice to see or have the ability to let Snort rules
> actually *be* ethereal capture filters (any thoughts on that?)

If that involves doing all filtering in userland, it would be acceptable
only as an option, *not* as the sole behavior. Filtering in the kernel
means that packets that don't pass the filter aren't copied up to the
application; avoiding that copy can considerably reduce the CPU overhead
of capturing, which might be important on a high-traffic network if you
only want some packets. However, it means living with the filtering
capabilities offered by the kernel, which are typically either BPF, the
less-capable "CMU/Stanford" packet filter, or the even less-capable
filtering mechanisms of IRIX's snoop sockets.

(Libpcap hides from the application concerns about the limitations of the
kernel filtering capabilities - but it does so by doing the filtering in
user space if the kernel can't handle BPF. That means that, on
platforms where the kernel can't handle BPF, all packets are copied up
to user space; at some point in the future it might be able to do in the
kernel filtering that the kernel's filtering agent can handle.)

Platforms with a BPF interpreter in the kernel include:

	the BSDs;

	recent Linuxes (if the right option was turned on when the
	kernel was built);

	Win32 with WinPcap.
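An added illustration of the in-kernel filtering discussed above, not part of this thread: a small Python interpreter for a subset of classic BPF, running a hand-assembled "ip and tcp" program over constructed Ethernet frames. The opcode encodings follow <pcap/bpf.h>; the program, the frame builder and the byte accounting are mine, not libpcap's or any kernel's.

```python
import struct

# Classic-BPF opcode encodings (BPF_LD|BPF_H|BPF_ABS etc., as in <pcap/bpf.h>)
LDH_ABS, LDB_ABS, JEQ_K, RET_K = 0x28, 0x30, 0x15, 0x06
# Hand-assembled "ip and tcp" for Ethernet as (opcode, jt, jf, k) tuples;
# jump offsets are relative to the next instruction, as in real BPF.
IP_AND_TCP = [
    (LDH_ABS, 0, 0, 12),      # acc = ethertype
    (JEQ_K,   0, 3, 0x0800),  # not IPv4 -> jump to reject
    (LDB_ABS, 0, 0, 23),      # acc = IPv4 protocol byte (14 + 9)
    (JEQ_K,   0, 1, 6),       # not TCP -> jump to reject
    (RET_K,   0, 0, 0xFFFF),  # accept: copy up to 65535 bytes
    (RET_K,   0, 0, 0),       # reject: copy nothing
]

def bpf_run(prog, pkt):
    """Return how many bytes of pkt the filter accepts (0 = drop)."""
    acc, pc = 0, 0
    while pc < len(prog):
        op, jt, jf, k = prog[pc]
        pc += 1
        if op in (LDH_ABS, LDB_ABS):
            width = 2 if op == LDH_ABS else 1
            if k + width > len(pkt): return 0  # load past end drops, as the kernel does
            acc = int.from_bytes(pkt[k:k + width], "big")
        elif op == JEQ_K:
            pc += jt if acc == k else jf
        elif op == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {op:#x}")
    return 0

def capture(prog, pkts):
    """Filter 'in the kernel': count bytes copied up vs bytes never copied."""
    copied = saved = 0
    for p in pkts:
        n = min(bpf_run(prog, p), len(p))
        copied += n
        saved += len(p) - n
    return copied, saved

def eth_ipv4(proto, payload=b""):
    """Constructed frame: zeroed Ethernet header + minimal IPv4 header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return b"\x00" * 12 + b"\x08\x00" + ip + payload
# Constructed traffic: TCP, UDP, an ARP frame, and a truncated IPv4 frame
SAMPLE = [eth_ipv4(6, b"\x00" * 20), eth_ipv4(17, b"\x00" * 8),
          b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28, eth_ipv4(6)[:16]]
```

capture(IP_AND_TCP, SAMPLE) returns (54, 100): only the 54-byte TCP frame is copied up, the other 100 bytes never leave the "kernel", which is the saving the reply describes.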